
Facebook Issues Present Possible Threat to Users

UPDATE–A security researcher has identified a pair of security issues in Facebook, one of which can be used to upload an arbitrary file to the site, and the other of which can allow an attacker to gain control of a victim’s machine under some limited circumstances with user interaction.

The more serious of the vulnerabilities, which were identified by researcher David Sopas of WebSegura, is a reflected file download flaw that an attacker can use to plant a malicious file on a victim’s machine that looks like it is coming from a trusted Facebook domain. Sopas said he found two separate RFD issues on Facebook, both of which are still open right now. An attacker would need quite a bit of help from the user in order to execute an attack, though.

“The first one was present on Graph Facebook API and could be replicated under Internet Explorer 9 just by sending a link,” Sopas said in an advisory.

The attack also works on the current versions of Chrome and Opera, he said.

“To the user the entire process looks like a file is offered for download by a Facebook trusted domain and it would not raise any suspicion. A malicious user could gain total control over a victim’s computer and launch multiple attacks.”

In an email, Sopas said that Facebook’s security team replied to his advisory on Wednesday, saying that they will be back in touch with him soon about the report.

“They didn’t say directly that they’re not going to fix them. Facebook security team told me that they couldn’t control all the ways browsers may allow content downloads or the different app formats that a computer may allow. Just as we speak, I just received the following Facebook message thanking me for reporting these security issues to them and that they’ll contact me again for further bugs or updates. So it seems it will be fixed someday,” Sopas said by email.

RFD attacks are relatively new, and were detailed by Oren Hafif, a researcher at Trustwave’s Spider Labs last year.

“As long as RFD is out there, users should be extremely careful when downloading and executing files from the web. The download link might look perfectly fine and include a popular, trusted domain and use a secure connection, but users still need to be wary,” Hafif wrote in a post explaining the technique.
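As an added illustration, not code from the article or from Facebook, this is the server-side hardening a defender applies to a JSONP-style API endpoint so that a reflected file download cannot be served under a URL-chosen name: the reflected callback is restricted to a plain identifier and the download filename is pinned with Content-Disposition. The endpoint shape, the callback policy and the filename are assumptions.

```python
import json
import re

# Only identifier-style callback names are accepted; anything else is
# attacker-controlled reflected content (constructed policy, not Facebook's).
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")
FIXED_FILENAME = "api-response.json"  # hypothetical server-chosen download name


def build_api_response(callback, payload, hardened=True):
    """Return (status, headers, body) for a JSONP-style endpoint.

    With hardened=False the endpoint follows the weak pattern RFD abuses:
    the callback is reflected verbatim and no Content-Disposition is sent,
    so a browser may save the body under a name and extension taken from
    the URL rather than from the server.
    """
    body_json = json.dumps(payload, separators=(",", ":"))
    if not hardened:
        return 200, {"Content-Type": "application/json"}, "%s(%s);" % (callback, body_json)

    if not CALLBACK_RE.match(callback):
        return 400, {"Content-Type": "application/json"}, json.dumps({"error": "invalid callback"})
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        # A fixed filename means the URL cannot dictate what the saved file
        # is called or which extension (and therefore which handler) it gets.
        "Content-Disposition": 'attachment; filename="%s"' % FIXED_FILENAME,
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, "%s(%s);" % (callback, body_json)


def rfd_hardening_gaps(headers):
    """List the RFD-relevant header gaps in a response; run it over your own API."""
    gaps = []
    disposition = headers.get("Content-Disposition", "")
    if "attachment" not in disposition or "filename=" not in disposition:
        gaps.append("missing Content-Disposition with a fixed filename")
    if headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        gaps.append("missing X-Content-Type-Options: nosniff")
    return gaps
```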

A Facebook spokesman said that the report from Sopas didn’t meet the company’s criteria for earning a bug bounty.

“Our bug bounty program excludes reports that have no practical security implications, as well as social engineering techniques that require significant interaction from the victim because technical changes are usually not the best way to address these threats,” the spokesman said.

The other issue that Sopas discovered allows an attacker to upload an arbitrary file to Facebook by using a special tool on the site.

“The first security issue I found was that it’s possible to upload a file with any kind of extension to Facebook server via Ads/Tools/Text_Overlay tool. This online tool checks the uploaded image for too much text on an image to use on their ads,” Sopas said in his advisory.

“A user can upload executable files or just use Facebook servers as file repository. In my proof-of-concept I uploaded a batch file without any restriction and I can access it anytime anywhere as long as I’m logged in on my account.”
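An added example, not Facebook's code, of the check an upload endpoint meant for ad images applies so that a file is accepted only when its extension is on an image allowlist and its leading bytes match that format; the format allowlist is an assumption.

```python
import os

# Magic bytes for the image formats a text-overlay tool would legitimately
# accept (constructed allowlist for this example).
IMAGE_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def validate_image_upload(filename, data):
    """Return (accepted, reason); the extension and the content must agree.

    Checking the extension alone is what lets a batch file through; checking
    the content alone lets a valid image be stored under an executable name.
    """
    ext = os.path.splitext(filename)[1].lower()
    signature = IMAGE_SIGNATURES.get(ext)
    if signature is None:
        return False, "extension not allowed: %r" % ext
    if not data.startswith(signature):
        return False, "content does not match %s signature" % ext
    return True, "ok"
```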

Sopas said that users need to be careful to inspect the links they’re clicking on, even ones that are from trusted domains.

“Users must be aware of this type of vulnerability and be careful where links come from. Even if they come from a trusted source it might be an attack. Check the link structure. I believe it’s a matter of time for Facebook to fix this,” he said.

Discussion

Last year I found the same problem on the AOL Search website. I tried to contact them thousands of times but no luck. I didn't ask for money and they don't have any bug bounty program.
So like you I decided to disclose on some mailing lists and after some days they fixed the problem.
http://seclists.org/fulldisclosure/2015/Mar/6

Authors

Threatpost
